From 1aa3f7a7fd24c651aafde150351328148fd517be Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 6 May 2021 14:10:44 -0400
Subject: [PATCH] Only attempt to upgrade ACME configuration files if deployed

This can happen on upgrades from older deployments that lack
an ACME installation and don't meet the minimum requirements
to deploy one automatically.

Also don't consider missing ACME schema a total failure, just
log and skip it.

https://pagure.io/freeipa/issue/8832

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
 ipaserver/install/server/upgrade.py | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index e60524084..75bf26b8e 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1122,7 +1122,8 @@ def ca_upgrade_schema(ca):
             acme_schema_ldif = path
             break
     else:
-        raise RuntimeError('ACME schema file not found')
+        logger.info('ACME schema is not available')
+        return False
 
     schema_files=[
         '/usr/share/pki/server/conf/schema-certProfile.ldif',
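Review bot: The new early `return False` in the `else` branch exits before the `schema_files` list that starts just below, so on a host without the ACME schema file the `schema-certProfile.ldif` entry (and anything else in that list) appears to be skipped as well. If only the ACME schema is optional, the branch could set `acme_schema_ldif = None` and the list could include that path only when it is set, so the remaining CA schema is still upgraded. The rest of `ca_upgrade_schema` lies outside the hunk, so also confirm how callers interpret `False`, which now covers "ACME schema missing" too.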
@@ -1530,6 +1531,16 @@ def ca_update_acme_configuration(ca, fqdn):
     """
     Re-apply the templates in case anyting has been updated.
     """
+    logger.info('[Updating ACME configuration]')
+    if not os.path.isdir(os.path.join(paths.PKI_TOMCAT, 'acme')):
+        logger.info('ACME is not deployed, skipping')
+        return
+
+    if not os.path.exists(paths.PKI_ACME_ISSUER_CONF):
+        logger.info('ACME configuration file %s is missing',
+                    paths.PKI_ACME_ISSUER_CONF)
+        return
+
     password = directivesetter.get_directive(
         paths.PKI_ACME_ISSUER_CONF,
         'password',
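Review bot: The second guard logs a missing `paths.PKI_ACME_ISSUER_CONF` at info level even though the `acme` directory under `paths.PKI_TOMCAT` was just found, which looks like a partially deployed instance rather than an expected skip. `logger.warning('ACME configuration file %s is missing', paths.PKI_ACME_ISSUER_CONF)` would make that state stand out in the upgrade log. The docstring could also name both skip conditions, for example `Does nothing when ACME is not deployed or the issuer configuration file is missing.` The function body continues past the end of the hunk.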
-- 
2.31.1